Usage

Arch implementation

Packages are signed using makepkg --sign. This creates a detached binary signature (.sig).

The signed package is added to the repository database, and a detached signature of the repository database will be generated, using repo-add --verify --sign. The command line options indicate that the signature of the old database will be verified, and that the new database will be signed. Independently of these options, repo-add will detect the detached signature, convert it via base64 to ASCII, and add it to the repository database.

pacman will download both the databases and the database signatures and verify the databases upon database sync and each time the database is opened. When a package is loaded, its signature will be checked whether that comes from a repo database or a standalone .sig file.

pacman-key exists for the sake of managing keys, but there is missing functionality

Signature checking

To prepare for checking signed packages, run the pacman-key command shown below, with root permissions. It generates a random key and a “keyring” in /etc/pacman.d/gnupg/. You may need to move the mouse around to generate entropy for the key.

# pacman-key --init

If this command is never run, Pacman will abort saying “failed to commit transaction (invalid or corrupted package [PGP signature])” when it encounters packages signed with an unknown key.

By default, Pacman automatically accepts unsigned packages, but signed ones are rejected with an error unless the Pacman considers the key to be “trusted”. This corresponds to SigLevel = Optional in pacman.conf; see Package and database signature checking in the pacman.conf man page for further information.

Pacman usually prompts to add new keys of signed packages to its keyring. Keys can be manually compared against the lists of Arch developers and trusted users on the Arch Linux web site. If the SigLevel configuration specifies “TrustAll”, Pacman considers keys to be trusted once they are imported to the keyring, so it will then continue installing each package. If Pacman does not prompt to add new keys (cannot find on configured key server perhaps?), they could still be added manually by using the pacman-key tool.

If SigLevel specifies TrustedOnly (the default), Pacman also considers the “trust level” for each key. A key is considered trusted if it is locally signed, or it has a sufficient level in the Pacman web of trust. Locally signing a key (with pacman-key --lsign) only really works after the key has already been imported.

If there is a long time and failure right after checking packages integrity, edit /etc/pacman.d/gnupg/gpg.conf to use a different key server, for example keyserver hkp://pgp.mit.edu instead of keys.gnupg.net.

Course of action for development

Requirements

These are the changes that need to be made before Arch can implement package signing.

arch-keyring package

Some package will be created that contains all necessary keys for an Arch user to validate package signatures.

Key Policy

Key creation, submission and verification

Solely the responsibility of the developers. This page gives the current progress.

Testing

pactests must be written for all signing functionality. This is a big issue; if you would like to contribute, this is a good place to do so.

Documentation

Documentation for the new features must be reviewed and finalized.

Additional Features

These are important but non-essential features that should be added soon after package signing is implemented. Work on these issues can start now, but priority should be given to the "requirements" above.

Package validation without root privileges

Currently, pacman's GnuPG home directory (aka gpgdir, typically /etc/pacman.d/gnupg/) must be locked in order to check a package's signature. Only root can perform this locking, so either locking must be disabled for read-only accesses, or the directory must be copied/linked to a writable location when a user is performing package verification.

Timeline for increasing security

A timeline for transitioning between some unsigned packages and a fully-signed set of packages must be made. This is the responsibility of the developers.

Gentoo

Red Hat/Fedora/CentOS

Signature type: GPG

Stored: in the RPM

A RPM package is a tarball of installed files to which is added a header made up of metadata (name of package, version, ...). This metadata can contain a GPG signature of the tarball. See the file format specification for details.

NB: packages built for the Red Hat Network are signed with the Red Hat official key(s) but technically a RPM can be signed using any other key (one can even add another signature to the RPM)

To check a package correction, one must first import the signer's key first:
Example for Red Hat: